The basics
ISO 27001 control A.8.1 User endpoint devices requires companies to ensure that information processed by, stored on, or accessed through user devices is properly protected. This is important because almost all sensitive information can be accessed through devices like laptops, smartphones, tablets, and similar.
Documentation
ISO 27001 control A.8.1 User endpoint devices can be documented:
- for smaller and mid-sized companies by writing an IT Security Policy or Acceptable Use Policy to define rules for user endpoint devices
- for larger companies by writing a Procedure for Security of Endpoint Devices
- companies of all sizes can also write the Bring Your Own Device Policy that further specifies the rules for private devices that are used for work
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.8.1 User endpoint devices you might implement the following:
- Technology — the technology to protect user endpoint devices may include software (e.g., authentication software, backup software, antivirus, encryption, etc.), and hardware (reinforced cases and secure cabinets).
- Organization/processes — you should set up a process for defining who is allowed to use which devices, for what purpose, and which safeguards need to be applied. You can document those processes through an IT Security Policy or Acceptable Use Policy, a Procedure for Security of Endpoint Devices, or a Bring Your Own Device Policy.
- People — make employees aware of the risks related to endpoint devices, and train them on how to handle their devices properly and on what they can and can’t do with them.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.1 User endpoint devices: whether the information processed by, stored on, or accessed through user devices is properly protected.